Miriam
Posted August 5, 2004

I received an email about this and I'm wondering if our servers are affected by this and will they need the patch fix? Here's the info: US-CERT Technical Cyber Security Alert

Would like to hear from the tech people about this. Thanks.

ThumpAZ
Posted August 5, 2004

Miriam, I cannot answer definitively, but I will make sure it is called to the attention of the paid staff for a response here. Thanks for calling attention to this potential hazard.

MikeJ
Posted August 5, 2004

Minor security package updates such as these are done transparently to end users. Plus the level of exposure for a server that has this vulnerability is considerably low. First, it only allows execution of code as the user the process is running as, and it requires the ability for a user to introduce a malicious .png file to the server and get the server to process the file using the png libraries. This would generally only potentially apply if someone has something like an application that does png conversions from an untrusted source, such as allowing anyone to upload files.

This vulnerability is more of an issue for client machines that are using libpng (desktop linux, *bsd, etc...) as you could be targeted by websites hosting malicious .png files when you browse them.
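
An added example, not part of the original thread: the reply above ties exposure to which processes use the png libraries and which user they run as. This Python sketch reports exactly that on a Linux host by reading `/proc`; the function names and the sample maps text are constructed for illustration.

```python
import os
import pwd
import re

# A libpng shared object at the end of a /proc/<pid>/maps line. "(deleted)" means
# the file was replaced on disk (e.g. by a package update) but the process still
# runs the old copy until it is restarted.
LIBPNG_RE = re.compile(r"/\S*libpng[\w.\-]*\.so[\w.]*(?: \(deleted\))?\s*$")

# Constructed sample of one process's maps file.
SAMPLE_MAPS = """\
08048000-0804c000 r-xp 00000000 08:01 4211 /usr/local/bin/thumbnailer
40017000-4003b000 r-xp 00000000 08:01 9120 /usr/lib/libpng.so.3 (deleted)
4003b000-4003c000 rw-p 00023000 08:01 9120 /usr/lib/libpng.so.3 (deleted)
4003c000-40150000 r-xp 00000000 08:01 9001 /lib/libc.so.6
"""

def libpng_mappings(maps_text):
    """Return the sorted, de-duplicated libpng paths mapped by one process."""
    found = set()
    for line in maps_text.splitlines():
        m = LIBPNG_RE.search(line)
        if m:
            found.add(m.group(0).strip())
    return sorted(found)

def audit(proc_root="/proc"):
    """Return [(pid, user, [libpng paths])] for each readable process using libpng."""
    results = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip non-process entries such as "self" or "meminfo"
        pdir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pdir, "maps")) as fh:
                paths = libpng_mappings(fh.read())
            uid = os.stat(pdir).st_uid  # owner of /proc/<pid>: normally the effective UID
        except OSError:
            continue  # process exited, or we lack permission to read it
        if not paths:
            continue
        try:
            user = pwd.getpwuid(uid).pw_name
        except KeyError:
            user = str(uid)  # UID with no passwd entry
        results.append((int(entry), user, paths))
    return sorted(results)

if __name__ == "__main__":
    for pid, user, paths in audit():
        print(f"pid={pid} user={user} libpng={', '.join(paths)}")
```

Run it as root to see every process; entries marked `(deleted)` are services that still need a restart after the library package has been updated.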